fix: block join role escalation and add username format validation

[ankushchk]

Changes

api_join role escalation fix

The /api/join endpoint is meant for users to enroll themselves into an activity. But it was accepting a role field from the request body, which meant any authenticated user could send {"role": "instructor"} or {"role": "organizer"} and get stored with elevated privileges. Since this is a self-enrollment endpoint (it uses the user's own ID from their token), the role should always be "participant". If hosts need to assign instructor/organizer roles to other users in the future, that should be a separate endpoint with ownership checks.

api_register username format validation

No validation existed on the username field. Any string was accepted, including spaces (hello world), HTML (<script>), single characters, or extremely long strings. Added a regex check [a-zA-Z0-9_]{3,30} so usernames must be 3 to 30 characters using only letters, numbers, and underscores.

Testing

• Joined with {"role": "instructor"} in the body, confirmed the stored role is participant
• Tried registering with <script>, hello world, ab as usernames, all rejected with a clear error message
• Normal registration and login still work

Summary

This PR addresses two security and validation concerns in the authentication and course enrollment endpoints:

Key Changes

1. Role Escalation Prevention in /api/join

• Removed support for the role parameter in the request body
• The endpoint now unconditionally sets the enrolled user's role to "participant", preventing self-elevation to "instructor" or "organizer"
• Host-driven role assignments are deferred to a separate endpoint requiring proper ownership verification

2. Username Format Validation in /api/register

• Added regex validation requiring usernames to match [a-zA-Z0-9_]{3,30} (3–30 characters; alphanumeric and underscores only)
• Prevents invalid usernames containing spaces, HTML/script tags, single-character names, and excessively long strings
• Validation occurs early in the request processing, before password validation

Impact

• Security: Eliminates a privilege escalation vulnerability where users could arbitrarily assign themselves elevated roles
• User Experience: Registration now provides clear feedback on username format requirements; normal registration and login flows remain unaffected
• Code: Minimal changes (+4/-3 lines) localized to src/worker.py

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Repository: alphaonelabs/coderabbit/.coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro

Run ID: 9808a69e-2992-4339-a3d4-b013e536bc43

📥 Commits

Reviewing files that changed from the base of the PR and between d6e1a9c and 66836f0.

📒 Files selected for processing (1)

• src/worker.py

---

Walkthrough

Two API endpoints in src/worker.py received validation refinements: the registration endpoint now enforces username format validation (alphanumeric and underscore, 3–30 characters) before other checks, and the join endpoint now always sets role to "participant" instead of reading it from the request body.

Changes

Cohort / File(s)	Summary
API Validation Enhancements src/worker.py	api_register: Added username format validation using regex before password checks proceed. api_join: Removed dynamic role assignment from request body; role is now fixed to "participant" after activity ID validation.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~12 minutes

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (2 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately summarizes both main changes: blocking role escalation in the join endpoint and adding username format validation in registration.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}